ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

visual-content

v1.0.1

When the user wants to plan, create, or repurpose visual content (images, infographics, social post images) across channels. Also use when the user mentions...

0· 122·1 current·1 all-time
by@kostja94
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the instructions: the SKILL.md provides practical guidance for planning and repurposing visuals across channels. References to related internal skills (image-optimization, brand-visual-generator, platform skills) are consistent with the stated purpose.
!
Instruction Scope
The instructions explicitly direct the agent to 'Check for project context first: If .claude/project-context.md or .cursor/project-context.md exists, read Section 12 (Visual Identity) for brand consistency.' These are specific local file paths the agent is told to read at runtime, but the skill declares no required config paths. Asking the agent to read workspace files (and a specific section) expands its access beyond what the metadata advertises and could surface sensitive brand or other project data. The SKILL.md otherwise does not instruct data exfiltration or network calls, and most actions stay within content planning scope.
Install Mechanism
Instruction-only skill with no install spec, no downloaded artifacts, and no binaries declared — this is low installation risk.
Credentials
The skill requests no environment variables, credentials, or config paths in metadata, which is proportionate for a content-planning helper. However, the runtime instructions nonetheless reference reading local project files that are not declared, which is a discrepancy to be aware of.
Persistence & Privilege
Flags show always: false and normal model invocation. The skill does not request persistent presence or claim it will modify other skills or system-wide settings.
What to consider before installing
This skill looks like a normal content/visual planning helper and has no installers or credential requests, but its instructions tell the agent to read local project-context files (.claude/project-context.md and .cursor/project-context.md) even though the skill metadata doesn't declare those as required config paths. That means the agent could access workspace files you might not expect it to. Before installing or enabling: (1) Inspect those project-context files (or remove/sanitize them) if they contain any sensitive info; (2) ask the skill author to explicitly declare file access in the metadata (requires.configPaths) or to make file-reading conditional on explicit user permission; (3) run the skill in a sandbox or only on projects where those files are safe to share; and (4) if you need clarification, request a version of the skill that prompts the user before reading any local files. These steps will reduce the risk that the agent unintentionally reads sensitive project data.

Like a lobster shell, security has layers — review code before you run it.

latestvk970g0tbzh5aj85wxrxj5td97183xb5w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments